ISPs around the world are being attacked by self-replicating malware that
can take complete control of widely used wireless networking equipment,
according to reports from customers and a security researcher who is
following the ongoing campaign.

San Jose, California-based Ubiquiti Networks confirmed on Friday that
attackers are actively targeting a flaw in AirOS, the Linux-based firmware
that runs the wireless routers, access points, and other gear sold by the
company. The vulnerability, which allows attackers to gain access to the
devices over HTTP and HTTPS connections without authenticating themselves,
was patched last July, but the fix wasn't widely installed. Many customers
claimed they never received notification of the threat.

Nico Waisman, a researcher at security firm Immunity, said he knows of two
Argentina-based ISPs that went dark for two days after being hit by the
worm. He said he's seen credible reports of ISPs in Spain and Brazil being
infected by the same malware and that it's likely that ISPs in the US and
elsewhere were also hit, since the exploit has no geographic restrictions.
Once successful, the exploit he examined replaces the password files of an
infected device and then scans the network it's on for other vulnerable
gear. After a certain amount of time, the worm resets infected devices to
their factory default configurations, with the exception of leaving behind
a backdoor account, and then disappears. Ubiquiti officials have said
there are at least two variations, so it's possible that other strains
behave differently.